cmstool.cpp   [plain text]

/*
 * cmstool.cpp - manipluate CMS messages, intended to be an alternate for the 
 *		 currently useless cms command in /usr/bin/security
 */
 
#include <Security/Security.h>
#include <security_cdsa_utils/cuFileIo.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <utilLib/common.h>
#include <security_cdsa_utils/cuFileIo.h>
#include <security_cdsa_utils/cuPrintCert.h>
#include <clAppUtils/identPicker.h>
#include <clAppUtils/sslAppUtils.h>
#include <security_cdsa_utils/cuOidParser.h>
#include <CoreFoundation/CoreFoundation.h>
#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
#include <Security/SecCmsEncoder.h>
#include <Security/SecCmsDecoder.h>
#include <Security/SecCmsEncryptedData.h>
#include <Security/SecCmsEnvelopedData.h>
#include <Security/SecCmsMessage.h>
#include <Security/SecCmsRecipientInfo.h>
#include <Security/SecCmsSignedData.h>
#include <Security/SecCmsSignerInfo.h>
#include <Security/SecCmsContentInfo.h>
#include <Security/SecCmsDigestContext.h>
#include <Security/SecTrustPriv.h>
#include <Security/SecKeychainItemPriv.h>
#include <Security/SecCertificate.h>
#include <Security/SecSMIME.h>
#include <Security/oidsattr.h>
#include <Security/SecAsn1Coder.h>
#include <Security/secasn1t.h>
#include <Security/SecAsn1Templates.h>

static void usage(char **argv)
{
    printf("Usage: %s cmd [option ...]\n", argv[0]);
	printf("cmd values:\n");
	printf("   sign       -- create signedData\n");
	printf("   envel      -- create envelopedData\n");
	printf("   signEnv    -- create nested EnvelopedData(signedData(data))\n");
	printf("   parse      -- parse a CMS message file\n");
	printf("Options:\n");
	printf("   -i infile\n");
	printf("   -o outfile\n");
	printf("   -k keychain        -- Keychain to search for certs\n");
	printf("   -p                 -- Use identity picker\n");
	printf("   -r recipient       -- specify recipient of enveloped data\n");
	printf("   -c                 -- parse signer cert\n");
	printf("   -v sign|encr       -- verify message is signed/encrypted\n");
	printf("   -e eContentType    -- a(uthData)|r(keyData)\n");
	printf("   -d detached        -- infile contains detached content (sign only)\n");
	printf("   -D detachedContent -- detached content (parse only)\n");
	printf("   -q                 -- quiet\n");
	exit(1);
}

/* high level op */
typedef enum {
	CTO_Sign,
	CTO_Envelop,
	CTO_SignEnvelop,
	CTO_Parse
} CT_Op;

/* to verify */
typedef enum {
	CTV_None,
	CTV_Sign,
	CTV_Envelop,
	CTV_SignEnvelop
} CT_Vfy;

/* additional OIDS to specify as eContentType */
#define OID_PKINIT	0x2B, 6, 1, 5, 2, 3
#define OID_PKINIT_LEN	6

static const uint8	OID_PKINIT_AUTH_DATA[]	    = {OID_PKINIT, 1};
static const uint8	OID_PKINIT_DH_KEY_DATA[]    = {OID_PKINIT, 2};
static const uint8	OID_PKINIT_RKEY_DATA[]	    = {OID_PKINIT, 3};
static const uint8	OID_PKINIT_KP_CLIENTAUTH[]  = {OID_PKINIT, 3};
static const uint8	OID_PKINIT_KPKDC[]			= {OID_PKINIT, 5};

static const CSSM_OID	CSSMOID_PKINIT_AUTH_DATA = 
	{OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_AUTH_DATA};
static const CSSM_OID	CSSMOID_PKINIT_DH_KEY_DATA =
	{OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_DH_KEY_DATA};
static const CSSM_OID	CSSMOID_PKINIT_RKEY_DATA = 
	{OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_RKEY_DATA};
static const CSSM_OID	CSSMOID_PKINIT_KP_CLIENTAUTH =
	{OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_KP_CLIENTAUTH};
static const CSSM_OID	CSSMOID_PKINIT_KPKDC = 
	{OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_KPKDC};

typedef struct {
    CSSM_OID	contentType;
    CSSM_DATA	content;    
} SimpleContentInfo;

const SecAsn1Template SimpleContentInfoTemplate[] = {
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SimpleContentInfo) },
    { SEC_ASN1_OBJECT_ID, offsetof(SimpleContentInfo, contentType) },
    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
	  offsetof(SimpleContentInfo, content),
	  kSecAsn1AnyTemplate },
    { 0, }
};

/*
 * Obtain the content of a contentInfo, This basically strips off the contentType OID
 * and returns a mallocd copy of the ASN_ANY content.
 */
static OSStatus ContentInfoContent(
    const unsigned char *contentInfo,
    unsigned contentInfoLen,
    unsigned char **content,	    /* mallocd and RETURNED */
    unsigned *contentLen)	    /* RETURNED */
{
    SecAsn1CoderRef coder = NULL;
    OSStatus ortn;
    SimpleContentInfo decodedInfo;
    
    ortn = SecAsn1CoderCreate(&coder);
    if(ortn) {
		return ortn;
    }
    memset(&decodedInfo, 0, sizeof(decodedInfo));
    ortn = SecAsn1Decode(coder, contentInfo, contentInfoLen, 
		SimpleContentInfoTemplate, &decodedInfo);
    if(ortn) {
		goto errOut;
    }
    if(decodedInfo.content.Data == NULL) {
	printf("***Error decoding contentInfo: no content\n");
	ortn = internalComponentErr;
		goto errOut;
    }
    *content = (unsigned char *)malloc(decodedInfo.content.Length);
    memmove(*content, decodedInfo.content.Data, decodedInfo.content.Length);
    *contentLen = decodedInfo.content.Length;
errOut:
    SecAsn1CoderRelease(coder);
    return ortn;
}

/*
 * Find a cert in specified keychain or keychain list matching specified 
 * email address. We happen to knopw that the email address is stored with the 
 * kSecKeyAlias attribute. 
 */
static OSStatus findCert(
	const char *emailAddress,
	CFTypeRef kcArArray,			// kc, array, or even NULL
	SecCertificateRef *cert)
{
	OSStatus					ortn;
	SecKeychainSearchRef		srch;
	SecKeychainAttributeList	attrList;
	SecKeychainAttribute		attr;
	
	attr.tag = kSecKeyAlias;
	attr.length = strlen(emailAddress);
	attr.data = (void *)emailAddress;
	attrList.count = 1;
	attrList.attr = &attr;
	
	ortn = SecKeychainSearchCreateFromAttributes(kcArArray,
		kSecCertificateItemClass,
		&attrList,
		&srch);
	if(ortn) {
		cssmPerror("SecKeychainSearchCreateFromAttributes", ortn);
		return ortn;
	}
	
	ortn = SecKeychainSearchCopyNext(srch, (SecKeychainItemRef *)cert);
	if(ortn) {
		printf("***No certs founmd matching recipient %s. Aborting.\n",
			emailAddress);
		return ortn;
	}
	CFRelease(srch);
	return noErr;
}

static void evalSecTrust(
	SecTrustRef secTrust,
	bool quiet)
{
	OSStatus ortn;
	SecTrustResultType			secTrustResult;
	
	ortn = SecTrustEvaluate(secTrust, &secTrustResult);
	if(ortn) {
		/* should never happen */
		cssmPerror("SecTrustEvaluate", ortn);
		return;
	}
	switch(secTrustResult) {
		case kSecTrustResultUnspecified:
			/* cert chain valid, no special UserTrust assignments */
		case kSecTrustResultProceed:
			/* cert chain valid AND user explicitly trusts this */
			if(!quiet) {
				fprintf(stderr, "Successful\n");
			}
			return;
		case kSecTrustResultDeny:
		case kSecTrustResultConfirm:
			/*
			 * Cert chain may well have verified OK, but user has flagged
			 * one of these certs as untrustable.
			 */
			printf("Not trusted per user-specified Trust level\n");
			return;
		default:
		{
			/* get low-level TP error */
			OSStatus tpStatus;
			ortn = SecTrustGetCssmResultCode(secTrust, &tpStatus);
			if(ortn) {
				cssmPerror("SecTrustGetCssmResultCode", ortn);
				return;
			}
			switch(tpStatus) {
				case CSSMERR_TP_INVALID_ANCHOR_CERT: 
					fprintf(stderr, "Untrusted root\n");
					return;
				case CSSMERR_TP_NOT_TRUSTED:
					/* no root, not even in implicit SSL roots */
					fprintf(stderr, "No root cert found\n");
					return;
				case CSSMERR_TP_CERT_EXPIRED:
					fprintf(stderr, "Expired cert\n");
					return;
				case CSSMERR_TP_CERT_NOT_VALID_YET:
					fprintf(stderr, "Cert not valid yet\n");
					break;
				default:
					printf("Other cert failure: ");
					cssmPerror("", tpStatus);
					return;
			}
		}
	} 	/* SecTrustEvaluate error */

}
static OSStatus parseSignedData(
	SecCmsSignedDataRef		signedData,
	SecArenaPoolRef			arena,			/* used for detached content only */
	const unsigned char		*detachedData,
	unsigned				detachedDataLen,
	CT_Vfy					vfyOp,
	bool					quiet,
	bool					parseSignerCert)
{
	Boolean b; 
	b = SecCmsSignedDataHasDigests(signedData);
	if(!quiet) {
		printf("      has digests   : %s\n", b ? "true" : "false");
	}
	
	SecTrustRef secTrust = NULL;
	OSStatus ortn;
	SecPolicyRef policy = NULL;
	SecPolicySearchRef policySearch = NULL;
	
	ortn = SecPolicySearchCreate(CSSM_CERT_X_509v3,
		&CSSMOID_APPLE_X509_BASIC,
		NULL,
		&policySearch);
	if(ortn) {
		cssmPerror("SecPolicySearchCreate", ortn);
		return ortn;
	}
	ortn = SecPolicySearchCopyNext(policySearch, &policy);
	if(ortn) {
		cssmPerror("SecPolicySearchCopyNext", ortn);
		return ortn;
	}
	
	int numSigners = SecCmsSignedDataSignerInfoCount(signedData);
	if(!quiet) {
		printf("      num signers   : %d\n", numSigners);
	}
	for(int dex=0; dex<numSigners; dex++) {
		if(!quiet) {
			fprintf(stderr, "      signer %d      :\n", dex);
			fprintf(stderr, "         vfy status : ");
		}
		Boolean b = SecCmsSignedDataHasDigests(signedData);
		if(b) {
			if(detachedData != NULL) {
				fprintf(stderr, "<provided detachedContent, but msg has digests> ");
				/* FIXME - does this make sense? Error? */
			}
		}
		else if(detachedData != NULL) {
			/* digest the detached content */
			SECAlgorithmID **digestAlgorithms = SecCmsSignedDataGetDigestAlgs(signedData);
			SecCmsDigestContextRef digcx = SecCmsDigestContextStartMultiple(digestAlgorithms);
			CSSM_DATA **digests = NULL;
			
			SecCmsDigestContextUpdate(digcx, detachedData, detachedDataLen);
			ortn = SecCmsDigestContextFinishMultiple(digcx, arena, &digests);
			if(ortn) {
				fprintf(stderr, "SecCmsDigestContextFinishMultiple() returned %d\n", (int)ortn);
			}
			else {
				SecCmsSignedDataSetDigests(signedData, digestAlgorithms, digests);
			}
		}
		else {
			fprintf(stderr, "<Msg has no digest: need detachedContent> ");
		}
		ortn = SecCmsSignedDataVerifySignerInfo(signedData, dex, NULL, 
			policy, &secTrust);
		if(ortn) {
			fprintf(stderr, "vfSignerInfo() returned %d\n", (int)ortn);
			fprintf(stderr, "         vfy status : ");
		}
		if(secTrust == NULL) {
			fprintf(stderr, "***NO SecTrust available!\n");
		}
		else {
			evalSecTrust(secTrust, quiet);
		}

		SecCmsSignerInfoRef signerInfo = SecCmsSignedDataGetSignerInfo(signedData, dex);
		CFStringRef emailAddrs = SecCmsSignerInfoGetSignerCommonName(signerInfo);
		char emailStr[1000];
		if(!quiet) {
			fprintf(stderr, "         signer     : ");
		}
		if(emailAddrs == NULL) {
			fprintf(stderr, "<<SecCmsSignerInfoGetSignerCommonName returned NULL)>>\n");
		}
		else {
			if(!CFStringGetCString(emailAddrs, emailStr, 1000, kCFStringEncodingASCII)) {
				fprintf(stderr, "*** Error converting email address to C string\n");
			}
			else if(!quiet) {
				
				fprintf(stderr, "%s\n", emailStr);
			}
		}
		if(parseSignerCert) {
			SecCertificateRef signer;
			signer = SecCmsSignerInfoGetSigningCertificate(signerInfo, NULL);
			if(signer) {
				CSSM_DATA certData;
				ortn = SecCertificateGetData(signer, &certData);
				if(ortn) {
					fprintf(stderr, "***Error getting signing cert data***\n");
					cssmPerror("SecCertificateGetData", ortn);
				}
				else {
					printf("========== Signer Cert==========\n\n");
					printCert(certData.Data, certData.Length, CSSM_FALSE);
					printf("========== End Signer Cert==========\n\n");
				}
			}
			else {
				fprintf(stderr, "***Error getting signing cert ***\n");
			}
		}
	}
	return ortn;
}

static OSStatus doParse(
	const unsigned char *data,
	unsigned			dataLen,
	const unsigned char *detachedData,
	unsigned			detachedDataLen,
	CT_Vfy				vfyOp,
	bool				parseSignerCert,
	bool				quiet,
	unsigned char		**outData,		// mallocd and RETURNED
	unsigned			*outDataLen)	// RETURNED
{
	if((data == NULL) || (dataLen == 0)) {
		fprintf(stderr, "***Parse requires input file. Aborting.\n");
		return paramErr;
	}
	
	SecArenaPoolRef arena = NULL;
	SecArenaPoolCreate(1024, &arena);
	SecCmsMessageRef cmsMsg = NULL;
	SecCmsDecoderRef decoder;
	OSStatus ortn;
	OSStatus ourRtn = noErr;
	bool foundOneSigned = false;
	bool foundOneEnveloped = false;
	
	ortn = SecCmsDecoderCreate(arena, NULL, NULL, NULL, NULL, NULL, NULL, &decoder);
	if(ortn) {
		cssmPerror("SecCmsDecoderCreate", ortn);
		return ortn;
	}
	ortn = SecCmsDecoderUpdate(decoder, data, dataLen);
	if(ortn) {
		cssmPerror("SecCmsDecoderUpdate", ortn);
		return ortn;
	}
	ortn = SecCmsDecoderFinish(decoder, &cmsMsg);
	if(ortn) {
		cssmPerror("SecCmsDecoderFinish", ortn);
		return ortn;
	}
	
	Boolean b = SecCmsMessageIsSigned(cmsMsg);
	switch(vfyOp) {
		case CTV_None:
			break;
		case CTV_Sign: 
			if(!b) {
				fprintf(stderr, "***Expected SignedData, but !SecCmsMessageIsSigned()\n");
				ourRtn = -1;
			}
			break;
		case CTV_SignEnvelop:
			if(!b) {
				fprintf(stderr, "***Expected Signed&Enveloped, but !SecCmsMessageIsSigned()\n");
				ourRtn = -1;
			}
			break;
		case CTV_Envelop:
			if(b) {
				fprintf(stderr, "***Expected EnvelopedData, but SecCmsMessageIsSigned() "
						"TRUE\n");
				ourRtn = -1;
			}
			break;
	}
	int numContentInfos = SecCmsMessageContentLevelCount(cmsMsg);
	if(!quiet) {
		fprintf(stderr, "=== CMS message info ===\n");
		fprintf(stderr, "   Signed           : %s\n", b ? "true" : "false");
		b = SecCmsMessageIsEncrypted(cmsMsg);
		fprintf(stderr, "   Encrypted        : %s\n", b ? "true" : "false");
		b = SecCmsMessageContainsCertsOrCrls(cmsMsg);
		fprintf(stderr, "   certs/crls       : %s\n", b ? "present" : "not present");
		fprintf(stderr, "   Num ContentInfos : %d\n", numContentInfos);
	}
	
	/* FIXME needs work for CTV_SignEnvelop */
	OidParser oidParser;
	for(int dex=0; dex<numContentInfos; dex++) {
		SecCmsContentInfoRef ci = SecCmsMessageContentLevel(cmsMsg, dex);
		if(!quiet) {
			/* can't use stderr - oidparser is fixed w/stdout */
			printf("   Content Info %d   :\n", dex);
			CSSM_OID *typeOid = SecCmsContentInfoGetContentTypeOID(ci);
			printf("      OID Tag       : ");
			if(typeOid == NULL) {
				printf("***NONE FOUND***]n");
			}
			else if(typeOid->Length == 0) {
				printf("***EMPTY***\n");
			}
			else {
				char str[OID_PARSER_STRING_SIZE];
				oidParser.oidParse(typeOid->Data, typeOid->Length, str);
				printf("%s\n", str);
			}
		}
		SECOidTag tag = SecCmsContentInfoGetContentTypeTag(ci);
		switch(tag) {
			case SEC_OID_PKCS7_SIGNED_DATA:
			{
				switch(vfyOp) {
					case CTV_None:		// caller doesn't care
					case CTV_Sign:		// got what we wanted
						break;
					case CTV_Envelop:
						fprintf(stderr, "***Expected EnvelopedData, got SignedData\n");
						ourRtn = -1;
						break;
					case CTV_SignEnvelop:
						printf("CTV_SignEnvelop code on demand\n");
						break;
				}
				foundOneSigned = true;
				SecCmsSignedDataRef sd = 
					(SecCmsSignedDataRef) SecCmsContentInfoGetContent(ci);
				parseSignedData(sd, arena, 
					detachedData, detachedDataLen,
					vfyOp, quiet, parseSignerCert);
				break;
			}
			case SEC_OID_PKCS7_DATA:
			case SEC_OID_OTHER:
			    break;
			case SEC_OID_PKCS7_ENVELOPED_DATA:
				foundOneEnveloped = true;
				if(vfyOp == CTV_Sign) {
					fprintf(stderr, "***Expected SignedData, EnvelopedData\n");
					ourRtn = -1;
					break;
				}
			case SEC_OID_PKCS7_ENCRYPTED_DATA:
				switch(vfyOp) {
					case CTV_None:
						break;
					case CTV_Sign:
						fprintf(stderr, "***Expected SignedData, got EncryptedData\n");
						ourRtn = -1;
						break;
					case CTV_Envelop:
						fprintf(stderr, "***Expected EnvelopedData, got EncryptedData\n");
						ourRtn = -1;
						break;
					case CTV_SignEnvelop:
						printf("CTV_SignEnvelop code on demand\n");
						break;
				}
				break;
			default:
				fprintf(stderr, "      other content type TBD\n");
		}
	}
	if(outData) {
		CSSM_DATA_PTR odata = SecCmsMessageGetContent(cmsMsg);
		if(odata == NULL) {
			fprintf(stderr, "***No inner content available\n");
		}
		else {
			*outData = (unsigned char *)malloc(odata->Length);
			memmove(*outData, odata->Data, odata->Length);
			*outDataLen = odata->Length;
		}
	}
	if(arena) {
		SecArenaPoolFree(arena, false);
	}
	switch(vfyOp) {
		case CTV_None:
			break;
		case CTV_Sign:
			if(!foundOneSigned) {
				fprintf(stderr, "Expected signed, never saw a SignedData\n");
				ourRtn = -1;
			}
			break;
		case CTV_Envelop:
			if(!foundOneEnveloped) {
				fprintf(stderr, "Expected enveloped, never saw an EnvelopedData\n");
				ourRtn = -1;
			}
			break;
		case CTV_SignEnvelop:
			if(!foundOneSigned) {
				fprintf(stderr, "Expected signed, never saw a SignedData\n");
				ourRtn = -1;
			}
			if(!foundOneEnveloped) {
				fprintf(stderr, "Expected enveloped, never saw an EnvelopedData\n");
				ourRtn = -1;
			}
			break;
	}
	/* free decoder? cmsMsg? */
	return ourRtn;
}

/*
 * Common encode routine.
 */
#if 1
/* the simple way, when 3655861 is fixed */
static OSStatus encodeCms(
	SecCmsMessageRef	cmsMsg,
	const unsigned char *inData,		// add in this
	unsigned			inDataLen,
	unsigned char		**outData,		// mallocd and RETURNED
	unsigned			*outDataLen)	// RETURNED
{
	SecArenaPoolRef arena = NULL;
	SecArenaPoolCreate(1024, &arena);
	CSSM_DATA cdataIn = {inDataLen, (uint8 *)inData};
	CSSM_DATA cdataOut = {0, NULL};

	OSStatus ortn = SecCmsMessageEncode(cmsMsg, &cdataIn, arena, &cdataOut);
	if((ortn == noErr) && (cdataOut.Length != 0)) {
		*outData = (unsigned char *)malloc(cdataOut.Length);
		memmove(*outData, cdataOut.Data, cdataOut.Length);
		*outDataLen = cdataOut.Length;
	}
	else {
		cssmPerror("SecCmsMessageEncode", ortn);
		*outData = NULL;
		*outDataLen = 0;
	}
	SecArenaPoolFree(arena, false);
	return ortn;
}

#else

/* the hard way back when SecCmsMessageEncode() didn't work */
static OSStatus encodeCms(
	SecCmsMessageRef	cmsMsg,
	const unsigned char *inData,		// add in this
	unsigned			inDataLen,
	unsigned char		**outData,		// mallocd and RETURNED
	unsigned			*outDataLen)	// RETURNED
{
	SecArenaPoolRef arena = NULL;
	SecArenaPoolCreate(1024, &arena);
	SecCmsEncoderRef cmsEnc = NULL;
	CSSM_DATA output = { 0, NULL };
	OSStatus ortn;
	
	ortn = SecCmsEncoderCreate(cmsMsg, 
		NULL, NULL,			// no callback 
		&output, arena,		// data goes here
		NULL, NULL,			// no password callback (right?) 
		NULL, NULL,			// decrypt key callback
		NULL, NULL,			// detached digests
		&cmsEnc);
	if(ortn) {
		cssmPerror("SecKeychainItemCopyKeychain", ortn);
		goto errOut;
	}
	ortn = SecCmsEncoderUpdate(cmsEnc, (char *)inData, inDataLen);
	if(ortn) {
		cssmPerror("SecCmsEncoderUpdate", ortn);
		goto errOut;
	}
	ortn = SecCmsEncoderFinish(cmsEnc);
	if(ortn) {
		cssmPerror("SecCMsEncoderFinish", ortn);
		goto errOut;
	}
	
	/* Did we get any data? */
	if(output.Length) {
		*outData = (unsigned char *)malloc(output.Length);
		memmove(*outData, output.Data, output.Length);
		*outDataLen = output.Length;
	}
	else {
		*outData = NULL;
		*outDataLen = 0;
	}
errOut:
	if(arena) {
		SecArenaPoolFree(arena, false);
	}
	return ortn;
}

#endif

static OSStatus doSign(
	SecIdentityRef		signerId,
	const unsigned char *inData,
	unsigned			inDataLen,
	bool				detachedContent,
	const CSSM_OID		*eContentType,	// OPTIONAL 
	unsigned char		**outData,		// mallocd and RETURNED
	unsigned			*outDataLen)	// RETURNED
{
	if((inData == NULL) || (inDataLen == 0) || (outData == NULL)) {	
		fprintf(stderr, "***Sign requires input file. Aborting.\n");
		return paramErr;
	}
	if(signerId == NULL) {
		fprintf(stderr, "***Sign requires a signing identity. Aborting.\n");
		return paramErr;
	}
	
	SecCmsMessageRef cmsMsg = NULL;
    SecCmsContentInfoRef contentInfo = NULL;
    SecCmsSignedDataRef signedData = NULL;
	SecCertificateRef ourCert = NULL;
    SecCmsSignerInfoRef signerInfo;
	OSStatus ortn;
	SecKeychainRef ourKc = NULL;
	
	ortn = SecIdentityCopyCertificate(signerId, &ourCert);
	if(ortn) {
		cssmPerror("SecIdentityCopyCertificate", ortn);
		return ortn;
	}
	ortn = SecKeychainItemCopyKeychain((SecKeychainItemRef)ourCert, &ourKc);
	if(ortn) {
		cssmPerror("SecKeychainItemCopyKeychain", ortn);
		goto errOut;
	}
	
    // build chain of objects: message->signedData->data
	cmsMsg = SecCmsMessageCreate(NULL);
	if(cmsMsg == NULL) {
		fprintf(stderr, "***Error creating SecCmsMessageRef\n");
		ortn = -1;
		goto errOut;
	}
	signedData = SecCmsSignedDataCreate(cmsMsg);
	if(signedData == NULL) {
		printf("***Error creating SecCmsSignedDataRef\n");
		ortn = -1;
		goto errOut;
	}
	contentInfo = SecCmsMessageGetContentInfo(cmsMsg);
	ortn = SecCmsContentInfoSetContentSignedData(cmsMsg, contentInfo, signedData);
	if(ortn) {
		cssmPerror("SecCmsContentInfoSetContentSignedData", ortn);
		goto errOut;
	}
    contentInfo = SecCmsSignedDataGetContentInfo(signedData);
	if(eContentType != NULL) {
		ortn = SecCmsContentInfoSetContentOther(cmsMsg, contentInfo, 
			NULL /* data */, 
			detachedContent,
			eContentType);
		if(ortn) {
			cssmPerror("SecCmsContentInfoSetContentData", ortn);
			goto errOut;
		}
	}
	else {
		ortn = SecCmsContentInfoSetContentData(cmsMsg, contentInfo, NULL /* data */, 
			detachedContent);
		if(ortn) {
			cssmPerror("SecCmsContentInfoSetContentData", ortn);
			goto errOut;
		}
	}
	
    /* 
     * create & attach signer information
     */
    signerInfo = SecCmsSignerInfoCreate(cmsMsg, signerId, SEC_OID_SHA1);
    if (signerInfo == NULL) {
		fprintf(stderr, "***Error on SecCmsSignerInfoCreate\n");
		ortn = -1;
		goto errOut;
	}
    /* we want the cert chain included for this one */
	/* FIXME - what's the significance of the usage? */
	ortn = SecCmsSignerInfoIncludeCerts(signerInfo, SecCmsCMCertChain, certUsageEmailSigner);
	if(ortn) {
		cssmPerror("SecCmsSignerInfoIncludeCerts", ortn);
		goto errOut;
	}
	
	/* other options go here - signing time, etc. */

	ortn = SecCmsSignerInfoAddSMIMEEncKeyPrefs(signerInfo, ourCert, ourKc);
	if(ortn) {
		cssmPerror("SecCmsSignerInfoAddSMIMEEncKeyPrefs", ortn);
		goto errOut;
	}
	ortn = SecCmsSignedDataAddCertificate(signedData, ourCert);
	if(ortn) {
		cssmPerror("SecCmsSignedDataAddCertificate", ortn);
		goto errOut;
	}

	ortn = SecCmsSignedDataAddSignerInfo(signedData, signerInfo);
	if(ortn) {
		cssmPerror("SecCmsSignedDataAddSignerInfo", ortn);
		goto errOut;
	}

	/* go */
	ortn = encodeCms(cmsMsg, inData, inDataLen, outData, outDataLen);
errOut:
	/* free resources */
	if(cmsMsg) {
		SecCmsMessageDestroy(cmsMsg);
	}
	if(ourCert) {
		CFRelease(ourCert);
	}
	if(ourKc) {
		CFRelease(ourKc);
	}
	return ortn;
}

static OSStatus doEncrypt(
	SecCertificateRef   recipCert,		// eventually more than one
	const unsigned char *inData,
	unsigned			inDataLen,
	unsigned char		**outData,		// mallocd and RETURNED
	unsigned			*outDataLen)	// RETURNED
{
	if((inData == NULL) || (inDataLen == 0) || (outData == NULL)) {	
		fprintf(stderr, "***Encrypt requires input file. Aborting.\n");
		return paramErr;
	}
	if(recipCert == NULL) {
		fprintf(stderr, "***Encrypt requires a recipient certificate. Aborting.\n");
		return paramErr;
	}
	
	SecCmsMessageRef cmsMsg = NULL;
    SecCmsContentInfoRef contentInfo = NULL;
    SecCmsEnvelopedDataRef envelopedData = NULL;
	SecCmsRecipientInfoRef recipientInfo = NULL;
	OSStatus ortn;
	SecCertificateRef allCerts[2] = { recipCert, NULL};
	
	SECOidTag algorithmTag;
    int keySize;
	
	ortn = SecSMIMEFindBulkAlgForRecipients(allCerts, &algorithmTag, &keySize);
	if(ortn) {
		cssmPerror("SecSMIMEFindBulkAlgForRecipients", ortn);
		return ortn;
	}
	
    // build chain of objects: message->envelopedData->data
	cmsMsg = SecCmsMessageCreate(NULL);
	if(cmsMsg == NULL) {
		fprintf(stderr, "***Error creating SecCmsMessageRef\n");
		ortn = -1;
		goto errOut;
	}
	envelopedData = SecCmsEnvelopedDataCreate(cmsMsg, algorithmTag, keySize);
	if(envelopedData == NULL) {
		fprintf(stderr, "***Error creating SecCmsEnvelopedDataRef\n");
		ortn = -1;
		goto errOut;
	}
	contentInfo = SecCmsMessageGetContentInfo(cmsMsg);
	ortn = SecCmsContentInfoSetContentEnvelopedData(cmsMsg, contentInfo, envelopedData);
	if(ortn) {
		cssmPerror("SecCmsContentInfoSetContentEnvelopedData", ortn);
		goto errOut;
	}
    contentInfo = SecCmsEnvelopedDataGetContentInfo(envelopedData);
	ortn = SecCmsContentInfoSetContentData(cmsMsg, contentInfo, NULL /* data */, false);
	if(ortn) {
		cssmPerror("SecCmsContentInfoSetContentData", ortn);
		goto errOut;
	}
	
    /* 
     * create & attach recipient information
     */
	recipientInfo = SecCmsRecipientInfoCreate(cmsMsg, recipCert);
	ortn = SecCmsEnvelopedDataAddRecipient(envelopedData, recipientInfo);
	if(ortn) {
		cssmPerror("SecCmsEnvelopedDataAddRecipient", ortn);
		goto errOut;
	}


	/* go */
	ortn = encodeCms(cmsMsg, inData, inDataLen, outData, outDataLen);
errOut:
	/* free resources */
	if(cmsMsg) {
		SecCmsMessageDestroy(cmsMsg);
	}
	return ortn;
}

/* create nested message: msg = EnvelopedData(SignedData(inData)) */
static OSStatus doSignEncrypt(
	SecCertificateRef   recipCert,		// encryption recipient
	SecIdentityRef		signerId,		// signer
	const CSSM_OID		*eContentType,	// OPTIONAL - for signedData
	const unsigned char *inData,
	unsigned			inDataLen,
	unsigned char		**outData,		// mallocd and RETURNED
	unsigned			*outDataLen)	// RETURNED
{
	if((inData == NULL) || (inDataLen == 0) || (outData == NULL)) {	
		fprintf(stderr, "***Sign/Encrypt requires input file. Aborting.\n");
		return paramErr;
	}
	if(recipCert == NULL) {
		fprintf(stderr, "***Sign/Encrypt requires a recipient certificate. Aborting.\n");
		return paramErr;
	}
	if(signerId == NULL) {
		fprintf(stderr, "***Sign/Encrypt requires a signer Identity. Aborting.\n");
		return paramErr;
	}
	
	OSStatus ortn;
	unsigned char *signedData = NULL;
	unsigned signedDataLen = 0;
	SecCmsMessageRef cmsMsg = NULL;
    SecCmsContentInfoRef contentInfo = NULL;
    SecCmsEnvelopedDataRef envelopedData = NULL;
	SecCmsRecipientInfoRef recipientInfo = NULL;
	SecCertificateRef allCerts[2] = { recipCert, NULL};
	SECOidTag algorithmTag;
    int keySize;
	
	/* first get a SignedData */	
	ortn = doSign(signerId, inData, inDataLen, 
		false,		/* can't do detached content here */
		eContentType, 
		&signedData, &signedDataLen);
	if(ortn) {
		printf("***Error generating inner signedData. Aborting.\n");
		return ortn;
	}
	
	/* extract just the content - don't need the whole ContentINfo */
	unsigned char *signedDataContent = NULL;
	unsigned signedDataContentLen = 0;
	ortn = ContentInfoContent(signedData, signedDataLen, &signedDataContent, &signedDataContentLen);
	if(ortn) {
		goto errOut;
	}
	
	/* now wrap that in an EnvelopedData */
	ortn = SecSMIMEFindBulkAlgForRecipients(allCerts, &algorithmTag, &keySize);
	if(ortn) {
		cssmPerror("SecSMIMEFindBulkAlgForRecipients", ortn);
		return ortn;
	}
	
    // build chain of objects: message->envelopedData->data
	cmsMsg = SecCmsMessageCreate(NULL);
	if(cmsMsg == NULL) {
		fprintf(stderr, "***Error creating SecCmsMessageRef\n");
		ortn = -1;
		goto errOut;
	}
	envelopedData = SecCmsEnvelopedDataCreate(cmsMsg, algorithmTag, keySize);
	if(envelopedData == NULL) {
		fprintf(stderr, "***Error creating SecCmsEnvelopedDataRef\n");
		ortn = -1;
		goto errOut;
	}
	contentInfo = SecCmsMessageGetContentInfo(cmsMsg);
	ortn = SecCmsContentInfoSetContentEnvelopedData(cmsMsg, contentInfo, envelopedData);
	if(ortn) {
		cssmPerror("SecCmsContentInfoSetContentEnvelopedData", ortn);
		goto errOut;
	}
    contentInfo = SecCmsEnvelopedDataGetContentInfo(envelopedData);
	
	/* here's the difference: we override the 'data' content with a SignedData type,
	 * but we fool the smime lib into thinking it's a plain old data so it doesn't try
	 * to encode the SignedData */
	ortn = SecCmsContentInfoSetContentOther(cmsMsg, contentInfo, 
		NULL /* data */, 
		false,
		&CSSMOID_PKCS7_SignedData);
	if(ortn) {
		cssmPerror("SecCmsContentInfoSetContentData", ortn);
		goto errOut;
	}
	
    /* 
     * create & attach recipient information
     */
	recipientInfo = SecCmsRecipientInfoCreate(cmsMsg, recipCert);
	ortn = SecCmsEnvelopedDataAddRecipient(envelopedData, recipientInfo);
	if(ortn) {
		cssmPerror("SecCmsEnvelopedDataAddRecipient", ortn);
		goto errOut;
	}

	 
	/* go */
	ortn = encodeCms(cmsMsg, signedDataContent, signedDataContentLen, outData, outDataLen);
errOut:
	/* free resources */
	if(cmsMsg) {
		SecCmsMessageDestroy(cmsMsg);
	}
	if(signedData) {
		free(signedData);
	}
	if(signedDataContent) {
		free(signedDataContent);
	}
	return ortn;
}

int main(int argc, char **argv)
{
	if(argc < 2) {
		usage(argv);
	}
	
	CT_Op op;
	bool needId = false;
	if(!strcmp(argv[1], "sign")) {
		op = CTO_Sign;
		needId = true;
	}
	else if(!strcmp(argv[1], "envel")) {
		op = CTO_Envelop;
	}
	else if(!strcmp(argv[1], "signEnv")) {
		op = CTO_SignEnvelop;
		needId = true;
	}
	else if(!strcmp(argv[1], "parse")) {
		op = CTO_Parse;
	}
	else {
		fprintf(stderr, "***Unrecognized cmd.\n");
		usage(argv);
	}

	extern int optind;
	extern char *optarg;
	int arg;
	
	/* optional args */
	const char *keychainName = NULL;
	char *inFileName = NULL;
	char *outFileName = NULL;
	bool detachedContent = false;
	char *detachedFile = NULL;
	bool useIdPicker = false;
	char *recipient = NULL;
	bool quiet = false;
	bool parseSignerCert = false;
	CT_Vfy vfyOp = CTV_None;
	const CSSM_OID *eContentType = NULL;
	
	optind = 2;
	while ((arg = getopt(argc, argv, "i:o:k:pr:e:dD:qcv:")) != -1) {
		switch (arg) {
			case 'i':
				inFileName = optarg;
				break;
			case 'o':
				outFileName = optarg;
				break;
			case 'k':
				keychainName = optarg;
				break;
			case 'p':
				useIdPicker = true;
				break;
			case 'r':
				recipient = optarg;
				break;
			case 'c':
				parseSignerCert = true;
				break;
			case 'v':
				if(!strcmp(optarg, "sign")) {
					vfyOp = CTV_Sign;
				}
				else if(!strcmp(optarg, "encr")) {
					vfyOp = CTV_Envelop;
				}
				else if(!strcmp(optarg, "signEnv")) {
					vfyOp = CTV_SignEnvelop;
				}
				else {
					usage(argv);
				}
				break;
			case 'e':
				switch(optarg[0]) {
					case 'a':
						eContentType = &CSSMOID_PKINIT_AUTH_DATA;
						break;
					case 'r':
						eContentType = &CSSMOID_PKINIT_RKEY_DATA;
						break;
					default:
						usage(argv);
				}
				break;
			case 'd':
				if(op != CTO_Sign) {
					printf("-d only valid for op sign\n");
					exit(1);
				}
				detachedContent = true;
				break;
			case 'D':
				if(op != CTO_Parse) {
					printf("-D only valid for op sign\n");
					exit(1);
				}
				detachedFile = optarg;
				break;
			case 'q':
				quiet = true;
				break;
			default:
			case '?':
				usage(argv);
		}
	}
	if(optind != argc) {
		/* getopt does not return '?' */
		usage(argv);
	}
	
	SecIdentityRef idRef = NULL;
	SecKeychainRef kcRef = NULL;
	SecCertificateRef recipientCert = NULL;
	unsigned char *inData = NULL;
	unsigned inDataLen = 0;
	unsigned char *outData = NULL;
	unsigned outDataLen = 0;
	unsigned char *detachedData = NULL;
	unsigned detachedDataLen = 0;
	OSStatus ortn;
	
	if(inFileName) {
		if(readFile(inFileName, &inData, &inDataLen)) {
			fprintf(stderr, "***Error reading infile %s. Aborting.\n", inFileName);
			exit(1);
		}
	}
	if(detachedFile) {
		if(readFile(detachedFile, &detachedData, &detachedDataLen)) {
			fprintf(stderr, "***Error reading detachedFile %s. Aborting.\n", detachedFile);
			exit(1);
		}
	}
	if(keychainName) {
		ortn = SecKeychainOpen(keychainName, &kcRef);
		if(ortn) {
			cssmPerror("SecKeychainOpen", ortn);
			exit(1);
		}
	}
	if(useIdPicker) {
		ortn = sslSimpleIdentPicker(kcRef, &idRef);
		if(ortn) {
			fprintf(stderr, "***Error obtaining identity via picker. Aborting.\n");
			exit(1);
		}
	}
	else if(needId) {
		/* use first identity in specified keychain */
		CFArrayRef array = sslKcRefToCertArray(kcRef, CSSM_FALSE, CSSM_FALSE, 
			NULL,		// no verify policy
			NULL);
		if(array == NULL) {
			fprintf(stderr, "***Error finding a signing cert. Aborting.\n");
			exit(1);
		}
		idRef = (SecIdentityRef)CFArrayGetValueAtIndex(array, 0);
		if(idRef == NULL) {
			fprintf(stderr, "***No identities found. Aborting.\n");
			exit(1);
		}
		CFRetain(idRef);
		CFRelease(array);
	}
	if(recipient) {
		ortn = findCert(recipient, kcRef, &recipientCert);
		if(ortn) {
			exit(1);
		}
	}
	
	switch(op) {
		case CTO_Sign:
			ortn = doSign(idRef, inData, inDataLen, 
				detachedContent, eContentType, 
				&outData, &outDataLen);
			break;
		case CTO_Envelop:
			if(recipientCert == NULL) {
				if(idRef == NULL) {
					printf("***Need a recipient or an identity to encrypt\n");
					exit(1);
				}
				ortn = SecIdentityCopyCertificate(idRef, &recipientCert);
				if(ortn) {
					cssmPerror("SecIdentityCopyCertificate", ortn);
					exit(1);
				}
			}
			ortn = doEncrypt(recipientCert, inData, inDataLen, &outData, &outDataLen);
			break;
		case CTO_SignEnvelop:
			ortn = doSignEncrypt(recipientCert, idRef, eContentType,
				inData, inDataLen, &outData, &outDataLen);
			break;
		case CTO_Parse:
			ortn = doParse(inData, inDataLen, 
				detachedData, detachedDataLen,
				vfyOp, parseSignerCert, quiet,
				&outData, &outDataLen);
			break;
	}
	if(ortn) {
		goto errOut;
	}
	if(outData && outFileName) {
		if(writeFile(outFileName, outData, outDataLen)) {
			fprintf(stderr, "***Error writing to %s.\n", outFileName);
			ortn = -1;
		}
		else {
			if(!quiet) {
				fprintf(stderr, "...wrote %u bytes to %s.\n", outDataLen, outFileName);
			}
		}
	}
	else if(outData) {
		fprintf(stderr, "...generated %u bytes but no place to write it.\n", outDataLen);
	}
	else if(outFileName) {
		fprintf(stderr, "...nothing to write to file %s.\n", outFileName);
		/* assume this is an error, caller wanted something */
		ortn = -1;
	}
errOut:
	return ortn;
}